Address feedback

integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/constants.go

@@ -1,5 +1,25 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package main
 
+// teleportProdOCIPubKey is the key used to sign Teleport distroless images.
+// The key lives in the Teleport production AWS KMS.
+// In case of controlled rotation, we will want to add a second validator with
+// the new key to support the transition period.
 var teleportProdOCIPubKey = []byte(`-----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx+9UZboMl9ibwu/IWqbX
 +wEJeKJqVpaLEsy1ODRpzIgcgaMh2n3BWtFEIoEszR3ZNlGdfqoPmb0nNnWx/qSf

integrations/kube-agent-updater/cmd/teleport-kube-agent-updater/main.go

@@ -20,6 +20,7 @@ import (
 	"flag"
 	"net/url"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/docker/distribution/reference"
@@ -69,7 +70,7 @@ func main() {
 	flag.DurationVar(&syncPeriod, "sync-period", 10*time.Hour, "Operator sync period (format: https://pkg.go.dev/time#ParseDuration)")
 	flag.BoolVar(&insecureNoVerify, "insecure-no-verify-image", false, "Disable image signature verification.")
 	flag.BoolVar(&disableLeaderElection, "disable-leader-election", false, "Disable leader election, used to run the kube-agent-updater out of Kubernetes.")
-	flag.StringVar(&versionServer, "version-server", "https://update.gravitational.io/v1/", "URL of the HTTP server advertising target version and critical maintenances.")
+	flag.StringVar(&versionServer, "version-server", "https://update.gravitational.io/v1/", "URL of the HTTP server advertising target version and critical maintenances. Trailing slash is optional.")
 	flag.StringVar(&versionChannel, "version-channel", "cloud/stable", "Version channel to get updates from.")
 	flag.StringVar(&baseImageName, "base-image", "public.ecr.aws/gravitational/teleport", "Image reference containing registry and repository.")
 
@@ -113,14 +114,14 @@ func main() {
 		os.Exit(1)
 	}
 
-	versionServerUrl, err := url.Parse(versionServer + "/" + versionChannel)
+	versionServerURL, err := url.Parse(strings.TrimRight(versionServer, "/") + "/" + versionChannel)
 	if err != nil {
 		ctrl.Log.Error(err, "failed to pasre version server URL, exiting")
 		os.Exit(1)
 	}
-	versionGetter := version.NewBasicHTTPVersionGetter(versionServerUrl)
+	versionGetter := version.NewBasicHTTPVersionGetter(versionServerURL)
 	maintenanceTriggers := maintenance.Triggers{
-		maintenance.NewBasicHTTPMaintenanceTrigger("critical update", versionServerUrl),
+		maintenance.NewBasicHTTPMaintenanceTrigger("critical update", versionServerURL),
 		maintenance.NewUnhealthyWorkloadTrigger("unhealthy pods", mgr.GetClient()),
 		maintenance.NewWindowTrigger("maintenance window", mgr.GetClient()),
 	}

integrations/kube-agent-updater/pkg/controller/constants.go

@@ -24,11 +24,13 @@ import (
 
 const (
 	// Teleport container name in the `teleport-kube-agent` Helm chart
-	teleportContainerName        = "teleport"
-	defaultRequeue               = 30 * time.Minute
-	reconciliationTimeout        = 2 * time.Minute
-	kubeClientTimeout            = 1 * time.Minute
-	skipReconciliationAnnotation = "kubernetes.teleport.dev/skip-reconciliation"
+	teleportContainerName = "teleport"
+	defaultRequeue        = 30 * time.Minute
+	reconciliationTimeout = 2 * time.Minute
+	kubeClientTimeout     = 1 * time.Minute
+	// skipReconciliationAnnotation is inspired by the tenant-operator one
+	// (from the Teleport Cloud) but namespaced under `teleport.dev`
+	skipReconciliationAnnotation = "teleport.dev/skipreconcile"
 )
 
 var (

integrations/kube-agent-updater/pkg/img/insecure.go

@@ -1,3 +1,19 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package img
 
 import (
@@ -25,8 +41,9 @@ func (v *insecureValidator) Name() string {
 // we might get called in a loop indefinitely. To mitigate the impact of such
 // failure, ValidateAndResolveDigest should cache its result.
 
-// ValidateAndResolveDigest resolves the image digest and validates it was
-// signed with cosign using a trusted static key.
+// ValidateAndResolveDigest resolves the image digest and always return the
+// image is valid. Using this validator makes you vulnerable in case of image
+// registry compromise.
 func (v *insecureValidator) ValidateAndResolveDigest(ctx context.Context, image reference.NamedTagged) (NamedTaggedDigested, error) {
 	ref, err := NamedTaggedToDigest(image)
 	if err != nil {

integrations/kube-agent-updater/pkg/podutils/filter.go

@@ -63,6 +63,12 @@ func Not(filterFunc FilterFunc) FilterFunc {
 	}
 }
 
+// podReadinessGracePeriod represents how much time we wait before we consider
+// the pod (and a fortiori the workload) unhealthy. We might want to empirically
+// tune this value. A higher value can lead to workloads being stuck longer in
+// case of error. A shorter value might cause false positives and trigger
+// updates because of other cluster-related events like network issues, registry
+// downtime or missing capacity.
 const podReadinessGracePeriod = 5 * time.Minute
 
 // IsUnhealthy checks if a pod has not been ready since at least 10 minutes/